Why we can't stop malicious insiders

Security experts have been saying for years that insiders -- malicious, careless or simply unaware -- are a greater threat to organizations, both public and private, than hackers.

And the world got another illustration in support of that argument last week when the most famous whistleblower of the moment, Edward Snowden, admitted he had leaked top-secret documents about the National Security Agency's (NSA) surveillance -- both telephone and online -- of American citizens to The Guardian and The Washington Post.

Snowden was technically not an NSA insider. The former CIA technical assistant was working for Booz Allen Hamilton as an infrastructure analyst for the NSA (he has since been fired, after admitting he was the source of the leaks). But he had insider privileges, which is essentially all that matters.


And that raises again the question of whether organizations should put more effort into securing themselves internally than in fighting to keep out malicious attackers. But it also raises the question of whether extra effort is even worth it, since neither training nor technology can stop every insider threat.

Snowden said in a video interview with The Guardian that his level of privileges meant that, "I, sitting at my desk, certainly had the authorities to wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal e-mail."

And even if he is extradited from Hong Kong and prosecuted, whatever damage has been done by exposing government secrets isn't going to be undone.

There is no universal agreement on the level of the insider threat, even though the Snowden case has received international attention. According to Verizon's 2013 Data Breach Investigations Report, insiders were responsible for only 14 percent of confirmed data breaches. "Our findings consistently show that external actors rule," the report said.

But other experts say the key word there is "confirmed." Gary McGraw, CTO of Cigital, said he suspects a majority of data breaches are never announced.

"I wouldn't be surprised if they (insider breaches) are understated."

Mike DuBose, a former Justice Department official who led the agency's efforts on trade-secret theft and who is now the head of the cyber investigations unit at the risk-management firm Kroll Advisory Solutions, told Brian Fung of National Journal that, "Amidst all the concern and discussion over foreign hacking, what gets lost is the fact that the vast majority of serious breaches involving trade secrets or other proprietary or classified information are still being committed by insiders."


McGraw noted that the power of insiders is demonstrated by the fact that the goal of hackers is to become insiders.

And the impact of insider breaches matters more than their frequency, said Carson Sweet, CEO of CloudPassage.

"While there may be a lower frequency of inside jobs, the impact that an authorized insider can wreak is typically far greater, and can happen over a longer period, than that of an outsider," he said. "Having an employee go rogue -- especially one in a privileged position -- can turn catastrophic very quickly."

But it is simply not possible to stop all insider attacks or breaches, experts say.

"Nothing is perfect," said Bruce Schneier, chief security technology officer at BT and author/security guru. "Because something bad happened doesn't mean something went wrong."

Schneier noted that there are thousands of other people like Snowden -- government contractors who have top-secret security clearances. Indeed, The Daily Beast's Laura Colarusso reported that a required report from the president to Congress showed that as of October 2012, about 1.4 million people had top-secret security clearances, and more than 480,000 of them were government contractors.

"It's amazing that it works as well as it does," Schneier said. "If it wasn't working, there would be a leak like this once a month. The reality is that most people are trustworthy most of the time."

Still, there is a role for technology in combating insider threats, malicious and otherwise. McGraw, Sweet and Schneier all say every organization should "compartmentalize," so nobody has privileges everywhere.

"You don't give anyone a key to every room in the office," Schneier said. "You limit the trust you put in people."

"How would it feel to walk in the front door of your bank -- the firewall -- and see all the money, documents, etc. piled in the middle of the room?" asked Sweet. "Assets need to be compartmentalized, like a bank has tellers behind high counters, safe deposit boxes and vaults."

"In accounting, you have double-entry bookkeeping," McGraw said. "You have debits and credits in different books, and you have to balance the books. You have processes set up in banks so one person doesn't have all the power, so you limit the damage that any one person can do."

McGraw, who has been an outspoken evangelist for "building security in" to cyber infrastructure, rather than trying to "bolt it on after the fact," said those designing systems for security should ask themselves what would happen, "if any part of a system was controlled by a bad guy."
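The two controls the experts describe above, compartmentalization (no one holds a key to every room) and separation of duties (the double-entry analogy, where one person cannot both book and approve a transaction), can be expressed as a small access-control model. The following is an added example written for this page; it is not code from the article or from any of the people quoted, and the compartment and user names in it are constructed.

```python
"""Added example, not code from the article or from the people it quotes:
a minimal access-control model that enforces compartmentalization (flag any
principal whose grants reach every compartment) and separation of duties
(a sensitive action takes effect only after a second, distinct approver).
All compartment and principal names below are constructed."""
from collections import defaultdict


class CompartmentPolicy:
    """Per-compartment grants: (principal, compartment) -> set of actions."""

    def __init__(self, compartments):
        self.compartments = frozenset(compartments)
        self._grants = defaultdict(set)

    def grant(self, principal, compartment, *actions):
        if compartment not in self.compartments:
            raise ValueError(f"unknown compartment: {compartment}")
        self._grants[(principal, compartment)].update(actions)

    def allowed(self, principal, compartment, action):
        # .get() rather than [] so a lookup never creates an empty grant
        return action in self._grants.get((principal, compartment), set())

    def compartments_of(self, principal):
        return {c for (p, c) in self._grants if p == principal}

    def over_privileged(self):
        """Principals whose grants span every compartment: the 'key to every
        room' the article warns against. These are the ones to review."""
        principals = {p for (p, _) in self._grants}
        return sorted(p for p in principals
                      if self.compartments_of(p) == self.compartments)


class DualControl:
    """Two-person rule: a request takes effect only once a different
    principal holding 'approve' on the same compartment signs off."""

    def __init__(self, policy):
        self.policy = policy
        self.pending = {}
        self.executed = []

    def request(self, req_id, requester, compartment, action):
        if not self.policy.allowed(requester, compartment, "request"):
            raise PermissionError(f"{requester} may not request in {compartment}")
        self.pending[req_id] = (requester, compartment, action)
        return "pending"

    def approve(self, req_id, approver):
        requester, compartment, action = self.pending[req_id]
        if approver == requester:
            # The person who books the debit cannot also book the credit.
            raise PermissionError("self-approval violates separation of duties")
        if not self.policy.allowed(approver, compartment, "approve"):
            raise PermissionError(f"{approver} may not approve in {compartment}")
        del self.pending[req_id]
        self.executed.append((requester, approver, compartment, action))
        return "executed"


def build_demo_policy():
    """Constructed data: three compartments, one admin granted everywhere."""
    policy = CompartmentPolicy(["hr-records", "finance-ledger", "prod-servers"])
    policy.grant("alice", "hr-records", "read")
    policy.grant("bob", "finance-ledger", "read", "request")
    policy.grant("carol", "finance-ledger", "read", "approve")
    for compartment in policy.compartments:
        policy.grant("dave", compartment, "read", "request", "approve")
    return policy


def run_demo():
    """Returns (over-privileged principals, whether self-approval got through,
    final status of a properly dual-controlled request)."""
    policy = build_demo_policy()
    flagged = policy.over_privileged()          # ['dave'] holds every key
    control = DualControl(policy)
    control.request("wire-42", "bob", "finance-ledger", "wire-transfer")
    try:
        control.approve("wire-42", "bob")       # blocked: same person
        self_approved = True
    except PermissionError:
        self_approved = False
    status = control.approve("wire-42", "carol")  # distinct approver: runs
    return flagged, self_approved, status


if __name__ == "__main__":
    print(run_demo())
```

The `over_privileged` review is the check to run periodically against a real grant inventory; an account that legitimately spans every compartment (an administrator) is exactly the one whose actions should be split across two people or at least logged and reviewed by someone else.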

Sweet said cloud and virtualization technologies, especially dynamically automated control systems, "make dynamic compartmentalization of internal resources a hands-off process. Companies and agencies need to start using these technologies. They can 'see' when something bad is going on, even if it's for an authorized user."

The Snowden case is also a reminder that security, on any level, can be improved by rigorous background checks and personality profiling. McGraw said heavier screening of developers and architects is worthwhile, since, "the worst kind of insider would be a rogue developer, who has the ability to create systems that will do anything they want."

Technology and training can also help protect the organization from workers who are not malicious, but who fall victim to scams like phishing.

"You can do things like virtualizing browsers or mail accounts, so if they click on something, you can see that it's not kosher," McGraw said. "But you need to understand that they are going to get phished."

Sweet said companies should, "hit their employees constantly with company-managed phishing attacks. This is a service you can pay trustworthy outside providers to do. It keeps the awareness level exceptionally high."

Schneier added that things like one-time passwords can help protect against employee vulnerabilities.

But nothing is foolproof.

"These are all tricks around the edges," Schneier said. "There is no panacea. There will always be exceptions. You are never going to catch everything."
